无需密码即可登录
[英]Possible to login without the digits in the password
问题描述
I just discovered that my password-protected area is not that protected. 
我刚刚发现我的密码保护区域没有受到保护。 Passwords are required to use digits. 需要密码才能使用数字。 Now, if the password has the digits at the end, somehow the login is accepted as long as the az part of the password is correct. 现在,如果密码末尾有数字,只要密码的az部分正确,就可以接受登录。 Why is that and how can I correct that? 为什么会这样,我该如何纠正呢? (PHP 5.4.28) (PHP 5.4.28)
function generate_hash($password)
{
$salt = openssl_random_pseudo_bytes(22);
$salt = '$2a$%13$' . strtr($salt, array('_' => '.', '~' => '/'));
return crypt($password, $salt);
}
$bind = array(":email" => $email, ":password" => crypt($password, generate_hash($password) ) );
$results = $db->select("users", 'email=:email AND password=:password', $bind);
1 个解决方案
解决方案1
2 已采纳 2014-06-19 19:35:03
I don't know about the specifics of your problem, but you're using the hash completely wrong. 我不知道您的问题的具体情况,但是您使用的哈希完全错误。 To use crypt , you do the following: 要使用crypt ,请执行以下操作:
On registration: 注册时:
- create a random salt 创建随机盐
- create the
$saltargument in a proper format:$2a$xx$...(note: no%, that may contribute to the problem)以正确的格式创建$salt参数:$2a$xx$...(注意:否%,这可能会导致问题) - hash the password with
crypt($password, $salt)用crypt($password, $salt)散列密码 - store the hash in the database 将哈希存储在数据库中
On login: 登录时:
- retrieve the password hash from the database based on the entered email 根据输入的电子邮件从数据库中检索密码哈希
- generate a hash using
crypt($enteredPassword, $databaseHash)使用crypt($enteredPassword, $databaseHash)生成哈希 - compare the two hashes 比较两个哈希
You're not doing that at all. 你根本不这样做。 You should probably also use password_hash instead, which takes care of a lot of pitfalls in the usage of the raw crypt API. 您可能还应该改用password_hash ,它可以避免使用原始crypt API时遇到的许多陷阱。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.